Saturday, 27 September 2014

dhclient-script shell

In light of the recent bash vulnerability, perhaps it would make sense to
evaluate whether /sbin/dhclient-script really requires bash or if it can perhaps
be made POSIX compatible instead?

$ head -n1 /sbin/dhclient-script
#!/bin/bash

My own opinion is that as long as bash supports function definitions in
environment variables, it is not sane for use in security-sensitive contexts.
That Debian/Ubuntu use dash as /bin/sh makes them quite a bit better off than
some other distros, but we should probably be looking to evaluate where bash is
invoked via shebang lines and take action to limit exposure that way.
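As an added example, not code from the original post, a small POSIX sh function for the audit proposed above: it walks the given directories and lists every file whose shebang invokes bash directly, so each hit can be reviewed for conversion to /bin/sh. The directory list and the constructed sample files in the usage are assumptions.

```shell
#!/bin/sh
# list_bash_shebangs DIR...
# Prints, one per line, each regular file under DIR... whose first line is a
# bash shebang (#!/bin/bash, #!/usr/bin/bash or #!/usr/bin/env bash).
# Unreadable files are skipped silently; output is not sorted.
list_bash_shebangs() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            # Only the first line matters; binaries just fail the pattern match.
            line=$(head -n1 "$f" 2>/dev/null) || continue
            case "$line" in
                '#!/bin/bash'*|'#!/usr/bin/bash'*|'#!/usr/bin/env bash'*)
                    printf '%s\n' "$f" ;;
            esac
        done
    done
}

# count_bash_shebangs DIR... prints how many such files were found.
count_bash_shebangs() {
    list_bash_shebangs "$@" | wc -l | tr -d ' '
}

# Typical use on a Debian-style system (assumed directories):
#   list_bash_shebangs /sbin /usr/sbin /etc
```

Each listed script can then be checked for bashisms before its shebang is switched to /bin/sh.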